Mark Symons commented on SLF4J-451:
-----------------------------------
The CVE reports "before 1.8.0-beta2" and "versions up to (including) 1.7.25". Thus...
* The "affects version" field in this issue is incorrect. Should be 1.7.25?
* The threat is apparently fixed (1.8.0-beta2)
* When might 1.8.0 be released?
If 1.8.0 is not close, then could perhaps 1.7.26 be released with a fix? The CVE has a CVSS v3.0 Base Score of 9.8
> org.slf4j.ext.EventData in the slf4j-ext module in QOS.CH SLF4J before 1.8.0-beta2 allows remote attackers to bypass intended access restrictions via crafted data.
> -------------------------------------------------------------------------------------------------------------------------------------------------------------------
>
> Key: SLF4J-451
> URL: https://jira.qos.ch/browse/SLF4J-451
> Project: SLF4J
> Issue Type: Bug
> Components: slf4j-ext
> Affects Versions: 1.8.0-beta2
> Environment: Linux
> Reporter: Narayan
> Assignee: SLF4J developers list
> Labels: logging
>
> More details are available at https://nvd.nist.gov/vuln/detail/CVE-2018-8088
--
This message was sent by Atlassian JIRA
(v7.3.1#73012)
Nikolay Yurchenko created SLF4J-452:
---------------------------------------
Summary: MessageFormatter does not escape backslash correctly
Key: SLF4J-452
URL: https://jira.qos.ch/browse/SLF4J-452
Project: SLF4J
Issue Type: Bug
Components: Core API
Environment: As a fix for SLF4J-52, a rudimentary escape syntax was added, though it isn't correct.
Now MessageFormatter.arrayFormat() checks only for 2 cases: escaped curly brace ("\\{" - put raw "\{" into log output) and double escaped curly brace ("\\\{" - put raw "\" into log output and use "\{" as parameter start).
But this is incomplete. There may be any number of backslashes:
* Triple escaped: "\\\\{" - put "\" and "\{" into log output, no parameter start
* Quadruple escaped: "\\\\\{" - put "\" and "\" into log output, use "\{" as parameter start
* Quintuple escaped: "\\\\\\{" - put "\", "\" and "\{" into log output, no parameter start
* And so on
So even if you only check for backslash escaping before an opening curly brace, you must count the backslashes. If the number is odd, the curly brace is escaped; if it is even, only the backslashes are escaped, not the curly brace.
Reporter: Nikolay Yurchenko
Assignee: SLF4J developers list
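As an added example (not SLF4J's own code), a small Java formatter that applies the odd/even backslash rule described in SLF4J-452: the class name, method name and sample patterns are constructed, and it assumes every backslash pair directly before "{}" collapses to one literal backslash while backslashes elsewhere are copied verbatim.

```java
import java.util.Arrays;

/** Added example, not SLF4J code: escape-aware "{}" placeholder formatting. */
public final class EscapeAwareFormatter {

    private static final String DELIM = "{}";

    /**
     * Counts the run of backslashes immediately preceding each "{}".
     * Every "\\" pair becomes one literal backslash; a leftover single
     * backslash (odd count) escapes the delimiter so no argument is consumed.
     * An even count (including zero) leaves a real placeholder.
     */
    public static String format(String pattern, Object... args) {
        StringBuilder out = new StringBuilder(pattern.length() + 32);
        int argIdx = 0;
        int i = 0;
        while (i < pattern.length()) {
            int j = pattern.indexOf(DELIM, i);
            if (j < 0) {
                out.append(pattern, i, pattern.length()); // trailing literal text
                break;
            }
            int k = j;
            while (k > i && pattern.charAt(k - 1) == '\\') {
                k--;                                      // walk back over the run
            }
            int backslashes = j - k;
            out.append(pattern, i, k);                    // text before the run
            for (int n = 0; n < backslashes / 2; n++) {
                out.append('\\');                         // each pair -> one "\"
            }
            if (backslashes % 2 == 1) {
                out.append(DELIM);                        // odd: delimiter escaped
            } else if (argIdx < args.length) {
                out.append(args[argIdx++]);               // even: substitute argument
            } else {
                out.append(DELIM);                        // no argument left: keep literal
            }
            i = j + DELIM.length();
        }
        return out.toString();
    }

    public static void main(String[] a) {
        // Constructed inputs; each "\\" in a Java literal is one backslash in the pattern.
        System.out.println(format("set {} = {}", "x", 1));        // set x = 1
        System.out.println(format("literal \\{} then {}", "y"));  // literal {} then y
        System.out.println(format("two \\\\{} end", "z"));        // two \z end
        System.out.println(format("three \\\\\\{} end", "w"));    // three \{} end
        System.out.println(Arrays.toString(new Object[] {format("{}", "last")}));
    }
}
```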